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ABSTRACT 

DDoS-for-hire services, also known as booters, have com¬ 
moditized DDoS attacks and enabled abusive subscribers of 
these services to cheaply extort, harass and intimidate busi¬ 
nesses and people by knocking them offline. However, due 
to the underground nature of these booters, little is known 
about their underlying technical and business structure. In 
this paper we empirically measure many facets of their tech¬ 
nical and payment infrastructure. We also perform an anal¬ 
ysis of leaked and scraped data from three major booters— 
Asylum Stresser, Lizard Stresser and VDO—which provides 
us with an in-depth view of their customers and victims. Fi¬ 
nally, we conduct a large-scale payment intervention in col¬ 
laboration with PayPal and evaluate its effectiveness. Based 
on our analysis we show that these services are responsible 
for hundreds of thousands of DDoS attacks and identify po¬ 
tentially promising methods of increasing booters’ costs and 
undermining these services. 

1. INTRODUCTION 

Distributed Denial-of-Service (DDoS) attacks are be¬ 
coming a growing threat with high profile DDoS at¬ 
tacks disrupting many large scale gaming services, such 
as Microsoft’s XBox Live and Sony’s PlayStation net¬ 
works at the end of 2014 [^. These attacks were later 
claimed to be launched by the Lizard Squad as ad¬ 
vertisements for their new DDoS-for-hire service called 
Lizard Stresser |^. There is a long line of technical 
work exploring how to detect and mitigate these types 
of attacks 

However, a large amount of DDoS attacks are being 
launched by relatively unsophisticated attackers that 
have purchased subscriptions to low-cost DDoS-for-hire 
(commonly called booter) services. These services are 
operated by profit-motivated adversaries that have scaled 
up their DDoS infrastructure to meet the increasing de¬ 
mand for DDoS attacks. Despite the threat they pose, 
little is known about the structures of these booter ser¬ 
vices and potential weaknesses in their operations that 
could be used to undermine them. 

In this paper we undertake a large scale measure¬ 
ment study of these booter services to understand how 


they are structured both technologically and econom¬ 
ically with the focus of isolating potential weaknesses. 
We explore booters from three different angles including 
analysis of leaked and scraped data, measurements of 
their attack infrastructure and a payment intervention. 

Our analysis of leaked and scraped data from three 
booters—Asylum Stresser, Lizard Stresser and VDO[P 
demonstrates that these services have attracted over 
6,000 subscribers and have launched over 600,000 at¬ 
tacks. We also find that the majority of booter cus¬ 
tomers prefer paying via PayPal and that Lizard Stresser, 
which only accepted Bitcoin, had a minuscule 2% sign¬ 
up to paid subscriber conversion rate compared to 15% 
for Asylum Stresser and 23% for VDO, which both ac¬ 
cepted PayPal. By analyzing attack traffic directed at 
our own servers we are able to characterize the set of 
amplifiers they use to direct large amounts of traffic at 
their victims. In order to measure the resilience of their 
payment infrastructure, we conduct a payment inter¬ 
vention in collaboration with PayPal. Our evaluation 
of the effectiveness of this approach suggests that it is 
a promising method for reducing the subscriber base of 
booters. 

In this paper, we further our understanding of the 
booter ecosystem through our measurements. Based on 
this we identify potential improvements to ongoing ef¬ 
forts to disrupt their attack infrastructure and an alter¬ 
native and possibly more effective method of undermin¬ 
ing these services by targeting their payment infrastruc¬ 
ture. Overall, we find a few places where costs might 
be marginally increased by more precisely mapping out 
and targeting parts of their attack infrastructure. We 
document how a large-scale payment intervention by 
PayPal impacts booters, including service closures. Fi¬ 
nally, we detail some of their strategies for evading de¬ 
tection by PayPal and discuss how these increase the 
effort and costs associated with performing an ongoing 
payment intervention. 

^We assign each booter service a unique three letter code 
based on their domain name to avoid unintentionally ad¬ 
vertising their services. The two exceptions are Asylum 
Stresser, which ceased operation before our study and Lizard 
Stresser, which has already been highly publicized. 
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2. BACKGROUND 


In this section we explain the high level business and 
technical structure of hooter services as well as the un¬ 
derlining ethical framework for our measurements. 

2.1 Booter Services 

Thinly veiled booter services have existed since at 
least 2005 and primarily operate using a subscription- 
based business model. As part of this subscription model, 
customers or subscribers 0 can launch an unlimited num¬ 
ber of attacks that have a duration typically ranging 
from 30 seconds to 1-3 hours and are limited to 1-4 
concurrent attacks depending on the tier of subscription 
purchased. The price for a subscription normally ranges 
from $10-$300 USD per month depending on the dura¬ 
tion and number of concurrent attacks provided. These 
services claim that they are only to be used by network 
operators to stress test their infrastructure. However, 
they have become synonymous with DDoS-for-hire and 
are a growing threat due to the fact that they have 
commoditized DDoS attacks that reach upwards of 2- 
3 Gbps. By offering a low-cost shared DDoS attack 
infrastructure, these criminal support services have at¬ 
tracted thousands of malicious customers and are re¬ 
sponsible for hundreds of thousands of DDoS attacks a 
year as we will show in Section 

These services can be found by visiting underground 
forums where they advertise and by web searches for 
terms, such as “stresser” and “booter.” The services 
are all in English; we did not find any evidence of sim¬ 
ilar services that are focused on other markets, such as 
Asian or Russian. They maintain frontend sites that al¬ 
low their customers to purchase subscriptions and launch 
attacks using simple web forms. Their backend infras¬ 
tructure commonly consists of databases that maintain 
subscriber information, lists of misconfigured hosts that 
can be used for DDoS amplification and most rent high- 
bandwidth Virtual Private Servers (VPS) for attacks 
rather than using botnets. Ironically, booter services 
depend on DDoS-protection services, such as Cloud- 
Flare, to protect their frontend and attack infrastruc¬ 
ture from attacks launched by rival competing booter 
services. 

Figure [^provides a detailed illustration of the infras¬ 
tructure and process of using a booter service. ((^) 
The customer first locates a booter site and visits their 
frontend Webserver, which is normally protected by Cloud- 
Flare. ((^) The customer must next purchase a sub¬ 
scription using a payment method, such as Bitcoin or 
PayPal. ((^) The customer then uses the frontend 
interface to request a DDoS attack against a victim. 
((^) This request is forwarded from the frontend server 
to one of the backend attack servers. ((^) The back- 

^We use these two terms interchangeably in this paper. 


^ PayPal ^ QbitCOjn 

(2) Back-end server(s) 



Figure 1: Structure of hooter services. 


end server then sends spoofed request packets to a set 
of previously identified vulnerable amplification servers. 
((^) Finally, DDoS traffic in the form of replies is sent 
to the victim from the abused amplification servers. 

2.2 Ethical Framework 

As part of the ethical framework for our study, we 
placed a number of restrictions on the types of booter 
services we actively interacted with and what we in¬ 
cluded in this paper. First, we did not engage with 
any DDoS service that advertised using botnets. For 
example, in the case of Lizard Stresser, when we be¬ 
came aware that a botnet was being used, we imme¬ 
diately abandoned plans to collect active attack mea¬ 
surements from this service and restricted ourselves to 
passive measurements. Our victim server was connected 
by a dedicated 1 Gbs network connection that was not 
shared with any other servers. We also obtained con¬ 
sent from our network operators before conducting any 
DDoS attack experiments. When services used reflec¬ 
tors, we minimized the attack durations. 

When purchasing a subscription for a Booter service, 
we selected the cheapest option to minimize the amount 
of money given to these services. In total, we spent 
less than $140 and no individual booter service received 
more than $19 in payments as part of the measurements 
in this paper. Payments were made primarily using 
PayPal and we assumed that proper controls were put 
in place at PayPal to mitigate the risk of money flowing 
to criminal groups. Also, the 9 hooters that overlapped 
with our payment intervention study likely lost larger 
sums of money due to our reporting of their PayPal 
accounts than we paid to them. 

We received an exemption from our Institutional Re¬ 
view Board (IRB), since our study did not include any 
personally identifiable information and was based on 
publicly leaked data and measurements of services that 
are publicly accessible. Finally, we did not disclose the 
identity of customers or operators of these services even 
when we became aware of their identities and we did not 
reveal the identities of any victims unless they had been 
previously publicly disclosed. 
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Booter 

Period 

All Users 

Subscribers 

Revenue 

Attacks 

Targets 

Asylum Stresser 

10/2011-3/2013 

26,075 

3,963 

$35,381.54 

483,373 

142,473 

Lizard Stresser 

12/2014-01/2015 

12,935 

176 

$3,368 t 

15,998 

3,907 

VDO* 

12/2014-2/2015 

11,975 

2,779 

$52,773* 

138,010 

38,539 

Total 

- 

50,985 

6,918 

$91,522.54 

637,381 

184,919 


Table 1: Summary of Asylum Stresser and Lizard Stesser leaked databases and seraped VDO reported data. ^ Revenue was eonverted 
from hiteoin to USD. ^Revenue is estimated based on subseription eost and number of paying subseribers. ^ Domain name is abbreviated 
to the first three eharaeters. 


3. RELATED WORK 


DDoS attack and defense techniques have been stud¬ 
ied for close to two decades 

There have also been several empirical studies of DDoS 
attacks in the wild using backscatter analysis which 
were revisited by Wustrow et al. 32 . More recent stud¬ 


ies have measured Network Time Protocol (NTP) based 
DDoS attacks and conducted broader measurements 
of UDP amplifiers along with introducing methods to 
identify spoofing-enabled networks 


13 


Other studies have explored the structure of botnet 
based DDoS attacks and malware [6 28 . However, 


the closest related work to ours in this vein is by Kiihrer 
et al. which monitored the impact of DDoS attacks on 
and an analysis of a leaked database from a 


victims 31 


single booter service done by Karami and McCoy 12 


Our work differs from this previous work in that we are 
focused on holistically understanding the stakeholders 
and infrastructure these booter services rely on to op¬ 
erate across a larger set of booter services. 

Our study is in the same vein as prior work that views 
security problems through an economic lens . We set 
out to understand the stakeholders and infrastructure of 
criminal DDoS-for-hire enterprises as has been done in 
other domains, such as abusive advertising 15 17 30 
and fake anti-virus 25 . Since hooters are a criminal 


support service rather than the previously studied do¬ 
main of abusive advertising, they operate under a dif¬ 
ferent set of constraints. In this respect our work is 
more along the lines of studies focused on criminal sup¬ 
port services, such as email spam delivery 
social links 


27 and fake account creation |29| . While 


26 


fake 


this same follow-the-money and payment intervention 
approach has been explored in previous studies 
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our 

study is the first, to our knowledge, that explores the ef¬ 
fectiveness of this method against more robust criminal- 
to-criminal payment methods rather then consumer-to- 
criminal payments. 

The largest contribution of our study is in charac¬ 
terizing the ecosystem of subscription-based booter ser¬ 
vices, which has not been studied in much depth. We 
show that these hooters are structured differently than 
traditional botnet based DDoS services that are rented 
for a fixed time period in terms of the underlying at¬ 
tack infrastructure, customer base, business model and 
payment methods. We believe that our findings enable 


Operator 

Subscriber 

CC 

% 

CC 

% 

US 

44.06% 

US 

47.58% 

PK 

15.03% 

DE 

10.45% 

CA 

13.99% 

GB 

5.60% 

GB 

6.29% 

NL 

4.87% 

AU 

3.15% 

RU 

4.81% 


Table 2: Top eountry IP geoloeations of logins for booter oper¬ 
ator's and subseriber’s PayPal aeeounts. 


a better understanding of the effectiveness of ongoing 
efforts to disrupt their attack infrastructure at the am¬ 
plifier and hosting level, a preliminary evaluation of the 
potential effectiveness of a payment intervention along 
with a detailed analysis of the nature of these services 
and how they are structured. 

4. INSIDE VIEW OF BOOTERS 

In this section, we analyze publicly leaked backend 
booter databases, scraped data and aggregated PayPal 
account data. From this analysis we present some num¬ 
bers to better understand the dynamics and scale of 
booter services. This includes, the amount of revenue 
generated, the number of users and their probable ge¬ 
olocation, the number of victims and the number of 
attacks initiated by the subscribers of these services. 

4.1 Data Sets 

Our datasets for this section are comprised of ag¬ 
gregated PayPal account geolocation data provided by 
PayPal, two leaked backend databases for Asylum and 
Lizard Stresser and scraped data from VDO. A sum¬ 
mary of these data sets is included in Table and Ta¬ 
ble Before presenting our analysis we will first de¬ 
scribe each of these data sets in more detail. 

VDO Scraped Data. At the time we started mon¬ 
itoring VDO to measure the scale of its operation in 
early December 2014, it was one the top booter ser¬ 
vices on underground forums with a high rate of pos¬ 
itive reviews. During an eight weeks period ending in 
early February 2015, we crawled this booter every 10- 
minutes to collect data on users of the service and de¬ 
tails of attacks launched by them. We found VDO to 
be unique in reporting a wealth of public information 
on their users and attack details. This data includes all 
users that logged into the services in the past 15 minutes 
and distinguishes paying subscribers from unpaid users. 
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In addition, it displays a list of all currently running at¬ 
tacks that includes the type of the attack, the target 
of the attack, duration and the time remaining for the 
attack to be finished. Users can optionally choose to 
remain anonymous and hide attacks, but the default is 
for all information to be public. Less than 30% of login 
records scraped were anonymous and 39% of all attacks 
seen were hidden. 

While we cannot fully vet this self-reported data, we 
did verify that the data representing our actions were 
reported accurately. We also validated that all NTP at¬ 
tacks reported for a day were accurate by sending mon- 
list requests in 10-minute intervals to a set of 12 NTP 
amplifiers known to be abused by VDO and recorded 
the received responses. A total of 44 distinct victims 
were the target of NTP attacks as reported by VDO 
during that 24 hour time period and we were able to 
find matching records for all 44 targets in the mon¬ 
list responses collected from the set of monitored NTP 
servers. This gives us some increased level of confidence 
that the details of reported attacks and users are accu¬ 
rate. 

Asylum Stresser Backend Database. Asylum Stresser 
was an established booter that was in operation for over 
two years before their backend database was publicly 
leaked, which covered 18 months of operational data 
that included user registrations, payments and attack 
logs. It ceased operation shortly after the leak and has 
not resumed operation. This leaked database has been 
vetted by many members of the anti-DDoS community 
that located their own test accounts in the user regis¬ 
tration data and is believed to be authentic. 

Lizard Stresser Backend Database. Lizard Stresser 
was launched in late December of 2014 by individuals 
calling themselves the Lizard Squad. This same group 
was responsible for DDoS attacks on Sony PlayStation 
and Microsoft Xbox networks on December 25, 2014. 
Later, the group announced that the attacks were meant 
to demonstrate the power of Lizard Stresser, a booter 
service they started to offer to users on a subscription 
basis. As the attack infrastructure used by this service 
was backed by hacked home Internet routers, we did 
not directly interact with this service. However, their 
backend database covering their first two weeks of op¬ 
eration that included user registrations, payments and 
attack logs was publicly leaked. For this database, since 
all payments were in bitcoin and the wallet addresses 
are included, we have validated that this part of the 
database is accurate. We have also checked for internal 
consistency within these leaked databases. While we 
cannot rule out that some of the data has been fabri¬ 
cated, it would take a fair amount of resources to create 
this high fidelity of a forgery. 

Aggregated PayPal Data. In order to understand 
where booter operators and subscribers are potentially 


located, we use aggregated data provided to us by Pay¬ 
Pal that was computed from all the accounts identified 
by PayPal as belonging to booter operators and sub¬ 
scribers. This data did not include any scale on the 
number of booter and subscriber accounts included in 
the dataset. It was computed by assigning the location 
for each account to the country from which the majority 
of their logins occurred and computing the percentage 
of accounts assigned to each country. In the case that 
an account did not have a majority of their logins occur¬ 
ring in a single country it was removed from the dataset. 
This accounted for 3% of subscriber accounts and none 
of operator accounts. Also, IP addresses for proxies, 
VPN services, hosting service and Tor were removed 
using a database from IP2Location|^ 

4.2 Subscribers 

We find that 15% of Asylum users and 23% of all 
VDO users purchased a subscription, however less than 
2% of all Lizard Stresser users purchased a subscrip¬ 
tion. This might be attributed to the fact that Asylum 
and VDO both accepted PayPal payments at least spo¬ 
radically while Lizard Stresser only accepted Bitcoin as 
a payment method. It is difficult to attribute why the 
conversion rate of registered users to subscribers is much 
less for Lizard Stresser, since other factors, such as the 
media coverage, might have also driven many users to 
sign up out of curiosity. However, anecdotally 42 of 
the 225 support tickets mention that the user wants to 
purchase a subscription using PayPal. As one potential 
attacker wrote, “I want to pay via paypal real bad Pm 
a huge fan of and want to buy this ASAP but I don’t 
have bit coins.” 

Based on the aggregated geolocation information pro¬ 
vided by PayPal in Table over 44% of the customer 
and merchant PayPal accounts associated with Booters 
are potentially owned by someone in the United States. 
There are many inherent limitations of this data which 
we cannot correct or quantify due to the highly aggre¬ 
gated nature of the data. These include the fact that 
booter services create multiple accounts to replace ones 
that are limited by PayPal. Thus it might be the case 
that a few booter services control a large number of 
the total accounts and are biasing the location and the 
same might hold for customers as well. Assuming it 
is accurate, this might support the notion that these 
services are to some extent limited in their ability to 
accept payments using virtual currencies, such as Web- 
money, which block residents in the United States from 
creating accounts. 

4.3 Revenue 

Ayslum earned an average of $2,079/month. How- 

^IP2Proxy IP-Country Database —http: //www. 

ip21ocation.com/databases/ip2proxy 
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01/2012 01/2013 


Figure 2: Asylum Stresser monthly revenue. 


ever, as Figure shows their revenue started at a mod¬ 
est $500/month and grew to over $3,000/month to¬ 
wards the end of the leaked data period. Also, it is 
interesting to note that their revenue from subscrip¬ 
tion renewals was $16,025.12 and almost equal to the 
$19,356.42 earned from new subscriptions. The Lizard 
Stresser leak only covers 2 weeks in which time they 
earned $3,368 and VDO earned an estimated $24,737/month 
confirming that VDO was operating at a far larger scale. 
Asylum collect 99.4% ($35,180.14) of their revenue through 
PayPal payments and only 0.6% ($201.40) of their rev¬ 
enue was collected using their secondary payment method 
of Money Bookers. Lizard Stresser collected all their 
revenue through their only supported payment method 
of Bitcoin and VDO accepted both PayPal and Bit- 
coin. All of this underscores the fact that revenue from 
paid subscriptions and renewals is the driving factor for 
operating these services and expanding them to grow 
customer bases. They are presumably profitable, but 
these individual hooters do not generate the profits re¬ 
quired to pay the upfront capital, fees and potential 
fines for dedicated credit card merchant processing ac¬ 
counts, which amounted to around $25-$50K per an ac¬ 
count, as was the case with illicit pharmaceutical and 
fake anti-virus groups that had revenues on the order 
of millions of USD dollars a month 
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4.4 Attacks 

From the leaked data we find that these three hooters 
were responsible for over half a million separate attacks 
against over 100,000 distinct IP addresses. While the 
average attack from VDO only lasted 27 minutes this 
data demonstrates the large-scale abuse problems and 
unwanted traffic generated by these services. Our anal¬ 
ysis of victims finds that they are predominantly resi¬ 
dential links and gaming-related servers, with a small 
number of higher profile victims, such as government. 


journalist and law enforcement sites. This matches pre¬ 
vious analysis of victims from leaked databases 12 . For 
VDO our scraped data included the type of DDoS at¬ 
tack launched and our analysis of this data shows that 
amplified attacks where the adversary attempts to ex¬ 
haust the bandwidth capacity of the victim’s connection 
accounted for 72% of all attacks launch from VDO. The 
next most popular class of attacks were SYN flooding 
attacks, which made up only 16% of all attacks. 


5. ATTACK INFRASTRUCTURE 

Our measurements of hooters’ attack infrastructure 
are based on engaging with these services to understand 
what techniques and hosts are being actively used for 
attacks. Using this information we provide a better un¬ 
derstanding of cost structure and trade-offs of different 
attack techniques. It also informs defenders as to which 
ISPs and hosts to focus on for blacklisting, remediation 
and notification efforts. Our analysis of frontend servers 
finds a reliance on CloudFlare to protect this infras¬ 
tructure from takedown and DDoS. In addition, we find 
that hooters gravitate to using more stable amplifier in¬ 
frastructure when possible. This differs from previous 
studies that scan the Internet for the vulnerable popu¬ 
lations of misconfigured amplification servers many of 
which might be highly transient and not be used for 
DDoS attacks. We also identify two hosting providers 
connected to the same ISP that are actively courting 
hooter operators and providing stable high bandwidth 
attack servers that allow spoofing. 

This set of measurements is based on data gathered 
from a combination of sources including subscribing to 
hooters and launching attacks against our server, ac¬ 
tive probing measurements and analysis of two hosting 
providers that rent attack servers. 

5.1 Dataset 

Our first task was to identify hooter services for this 
part of our study. Absent a centralized location for 
finding hooters, we found services via search engines 
and advertisements on hacker forums such as hackedfo- 
rums.net. We selected 15 hooter services that received 
the most positive feedback on underground forums for 
our attack infrastructure characterization. The number 
of hooters was kept relatively small in order to minimize 
the amount of money we paid to these services, which 
totaled less than $140 and no individual hooter service 
received more than $19. We make no claim about the 
coverage these hooters provide of the entire ecosystem. 
Rather, we were looking to provide a sample of stable 
services most of them ranked highly for search terms 
associated with hooter services and they also garnered 
the most positive replies to their advertisements on un¬ 
derground forums. 

We purchased a one month subscription from each 


5 






































Booter 

Attack Types 

Cost 

AND 

DNS 

$6.60 

BOO 

NTP, Chargen 

$2.50 

CRA 

DNS,SSDP 

£10.99 

GRI 

NTP,SSDP 

$5.00 

HOR 

NTP,SSDP 

$6.99 

INB 

DNS,NTP,SSDP 

$11.99 

IPS 

NTP,SSDP,Chargen 

$5.00 

K-S 

SSDP,Chargen 

$3.00 

POW 

SSDP 

$14.99 

QUA 

DNS,SSDP 

$10.00 

RES 

DNS,NTP 

$10.00 

SPE 

DNS,NTP,SSDP,Chargen $12.00 

STR 

DNS,SSDP 

$3.00 

VDO 

DNS,NTP,SSDP 

$18.99 

XR8 

DNS 

$10.00 


Table 3: List of hooter services we measured, which of the four 
attack types included in our measurements each hooter offered 
and cost of cheapest one month subscription. 


of the services which ranged from $2.50-18.99 and fo¬ 
cused on measuring amplification attacks based on our 
measurements of VDO that showed this was the most 
common type of attack and the fact that amplification 
attacks were the default attack type for all 15 hooters. 
More precisely, we chose to measure the most common 
amplification reflection attack types offered by the hoot¬ 
ers, which were SSDP, NTP, DNS and Chargen. Table 
shows the set of hooters, which of the four attack types 
that hooter offered and the cost of a basic month sub¬ 
scription. 

We conducted attacks directed at our target server 
from December 2014 - January 2015. The goal of these 
attacks was to map out the set of misconfigured hosts 
that were being used by each hooter to amplify their 
reflection attacks. The configuration of our target sys¬ 
tem used for measuring the attacks was an Intel Xeon 
3.3GHz server running Ubuntu with 32 GB of RAM and 
an isolated 1 Gbps dedicated network connection. 

which is a lossless Gigabit packet 


We used gulp 22 


capture tool to capture attack traffic. Each attack lasted 
for one hour total and was comprised of many shorter 
attack instances of 10 minutes each, which is the stan¬ 
dard time limit for basic subscriptions. The reason¬ 
ing behind the longer attack times was to increase our 
probability of identifying all the misconfigured reflec¬ 
tion hosts used by a hooter for each attack type. How¬ 
ever, we found almost all of the amplification servers 
were identified after the first attack. Therefore we lim¬ 
ited our attacks to shorter durations for the rest of our 
experiments that required launching attacks. 


5.2 Frontend Servers 

Booter services maintain a frontend website that al¬ 
lows customers to purchase subscriptions and launch 
DDoS attacks using convenient drop-down menus to 


specify the attack type and victim’s IP or domain name. 
These frontend websites commonly come under DDoS 
attack by rival hooters and are subject to abuse com¬ 
plaints from anti-DDoS working groups. All 15 hooters 
in our study use CloudFlare’s DDoS protection services 
to cloak the ISP hosting their frontend servers and to 
protect them from abuse complaints and DDoS attacks. 

As part of this study we contacted CloudFlare’s abuse 
email on June 21st 2014 to notify them of the abu¬ 
sive nature of these services. As of the time of writing 
this paper, we have not received any response to our 
complaints and they continue to use CloudFlare. This 
supports the notion that at least for our set of hooters 
CloudFlare is a robust solution to protect their fron¬ 
tend servers. In addition, crimeflare.com has a list of 
over 100 hooters that are using CloudFlare’s services to 
protect their frontend servers. 

5.3 Attack Servers 


Provider 

VPS IP 

Uplink speed 

Bandwidth 

Monthly cost 

CaVPS Host 

192.210.234.203 

3.5 Gbps 

Unmetered 

$35 

Spark Servers 

96.8.114.146 

949 Mbps 

10 TB 

$60 


Table 4: Spoofing enabled VPS services. 

Renting back-end servers to generate attack traffic is 
the primary source of cost for the operators of booter 
services. We did some research to get a broad sense of 
the market availability and cost of back-end servers that 
allow the source IP address to be spoofed. Being spoof 
friendly, fast uplink speed and high caps or unmetered 
bandwidth usage are the key requirements of a server 
appropriate for supporting the operation of a booter 
service. 

In order to understand if these services delivered on 
their claims of allowing spoofing and providing the band¬ 
width they advertised we rented Virtual Private Servers 
(VPS) from two hosting providers that advertised on 
underground forums. Table summarizes the services 
that we purchased. Both of the VPSs we purchased 
were connected to the same ISP (ColoCrossing) in the 
US. We also verified that both VPSs allowed spoofing 
and measured their actual link speeds. One VPS pro¬ 
vided around IGbps uplink bandwidth and the other 
one interestingly provided up to 3.5Gbps. The servers 
we purchased were virtual and therefore running on 
shared hardware. A busy booter service would need to 
use dedicated servers with more resources to support its 
operation. The price range for a dedicated servers with 
a link speed of IGbps and unlimited bandwidth usage 
was around $300-$500. Due to budget limitations we 
could only rent these two VPSs and did not rent any 
higher end dedicated servers. However, our initial re¬ 
sults show that this is a potentially effective method of 
mapping out abusive hosting and we plan to scale this 
part of our measurements as future work. 
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Chargen 

DNS 

NTP 

SSDP 

Booter 

(#) 

(%) 

(#) 

(%) 

(#) 

(%) 

(#) 

(%) 

ANO 

- 

- 

1,827 

73% 

- 

- 

- 

- 

BOO 

370 

65% 

- 

- 

1,764 

86% 

- 

- 

CRA 

- 

- 

43,864 

56% 

- 

- 

64,874 

46% 

GRI 

- 

- 

- 

- 

1,701 

72% 

10,121 

60% 

HOR 

- 

- 

- 

- 

8,551 

58% 

242,397 

30% 

INB 

- 

- 

38,872 

55% 

4,538 

92% 

170,764 

54% 

IPS 

1,636 

44% 

- 

- 

1,669 

85% 

90,100 

29% 

K-S 

1,422 

30% 

- 

- 

- 

- 

5,982 

76% 

POW 

- 

- 

- 

- 

- 

- 

1,424,099 

11% 

QUA 

- 

- 

10,105 

85% 

- 

- 

39,804 

67% 

RES 

- 

- 

2,260 

82% 

27 

100% 

- 

- 

SPE 

2,358 

38% 

26,851 

61% 

6,309 

35% 

258,648 

24% 

STR 

- 

- 

93,362 

53% 

- 

- 

7,126 

74% 

VDO 

- 

- 

16,133 

82% 

6,325 

82% 

150,756 

62% 

XR8 

- 

- 

44,976 

52% 

- 

- 

- 

- 

Total 

4,565 

23.46% 

181,298 

35.30% 

17,599 

42.31% 

2,145,015 

11.84% 


Table 5: Number of total amplification servers and percentage of overlap with amplifications servers used by other hooters. 


5.4 Attack Techniques 

Due to their effectiveness, amplified volume-based at¬ 
tacks are the default attack technique offered by most 
booter services. We focused our analysis on SSDP (more 
commonly known as Universal Plug and Play (UPnP)), 
DNS, NTP and Chargen. These attacks depend on 
servers running misconfigured UPnP, DNS resolvers, 
NTP and Chargen services that enable attackers to am¬ 
plify attack traffic by sending spoofed packets with the 
victim’s source address in the IP header and having 
these services respond with a larger amount of traffic 
directed to the victim. 

We have also seen booter services offering reflection- 
based attacks by misusing popular web Content Man¬ 
agement Systems (CMS) such as WordPress and Joomla 
to generate and direct HTTP requests to target web 
servers. 

In addition, many hooters offer direct attacks includ¬ 
ing TCP SYN, and UPD flood where the attack spoofs 
the source IP address and directly sends packets to 
the victim. Some hooters also implement HTTP-based 
attacks including HTTP POST/GET/HEAD, RUDY 
(R-U-Dead-Yet) and Slowloris using proxies to conceal 
their attack server’s IP address. 

5.5 Amplifiers 

As part of our measurements we can map out the set 
of amplifiers that are being abused to magnify the traffic 
volume of attacks. This sheds light on the population 
of hosts that are not only vulnerable to amplification 
attacks, but are actively being abused. Table shows 
that the set of abused Chargen and NTP servers are 
smaller and more highly shared between two or more 
services, whereas there is an ample supply of DNS and 
SSDP servers that are used as amplifiers. However, the 
overlap of DNS servers used by two or more booter ser¬ 
vices is still relatively high suggesting that these DNS 
resolvers might be more stable, have higher bandwidth 


cc 

% 

AS 

% 

Chargen 

CN 

48.78% 

4134 (Chinanet) 

14.46% 

US 

12.51% 

37963 (Hangzhou Alibaba Advertising) 

10.47% 

KR 

5.50% 

4837 (CNCGROUP Chinal69 Backbone) 

6.88% 

RU 

4.58% 

17964 (Beijing Dian-Xin-Tong Network) 

2.61% 

IN 

2.56% 

7922 (Comcast Cable Communications) 

2.61% 

DNS 

US 

12.38% 

4134 (Chinanet) 

2.68% 

RU 

11.58% 

3462 (Data Communication Business Group) 

2.15% 

BR 

9.19% 

18881 (Global Village Telecom) 

1.46% 

CN 

6.84% 

4837 (CNCGROUP Chinal69 Backbone) 

1.45% 

JP 

3.61% 

7922 (Comcast Cable Communications) 

1.27% 

NTP 

US 

31.47% 

3462 (Data Communication Business Group) 

14.01% 

TW 

15.29% 

46690 (Southern New England Telephone) 

12.35% 

CN 

10.68% 

7018 (AT&T Services) 

4.84% 

KR 

5.50% 

4134 (Chinanet) 

3.58% 

RU 

4.74% 

4837 (CNCGROUP Chinal69 Backbone) 

2.18% 

SSDP 

CN 

36.26% 

4837 (CNCGROUP Chinal69 Backbone) 

18.98% 

US 

19.37% 

4134 (Chinanet) 

11.16% 

EG 

6.83% 

8452 (TE Data) 

6.61% 

AR 

5.37% 

22927 (Telefonica de Argentina) 

5.13% 

CA 

5.36% 

7922 (Comcast Cable Communications) 

4.60% 


Table 6: Top country locations and autonomous systems for 
amplifiers. 


connections and be in more limited supply. 

5.6 Amplifier Location 

As demonstrated by Table both the geolocation 
and AS of amplifiers used by hooters are fairly diffuse. 
There are a few notable exceptions, such as the con¬ 
centration of Chargen amplifiers in China with three 
Chinese ASs connecting 34% of these amplifiers. In ad¬ 
dition, there is a slight concentration of abused NTP 
servers connected to one Taiwanese AS and two United 
States network operators. This might indicate a poten¬ 
tial to focus notification and patching efforts on these 
networks, given the limited pool of hosts used for Char¬ 
gen and NTP attacks from Table Eeeds of these ac¬ 
tively abused servers could also be distributed to these 
network operators and to DDoS mitigation services. 

5.7 Amplifiers Churn 
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Figure 3: IP churn of amplifiers. 


In order to measure the stability of these amplifiers 
we probed them periodically for 13 weeks to understand 
how many were still located at the same IP and vulner¬ 
able to abuse. As shown in Figure the set of DNS 
resolvers were the most stable with nearly 80% still vul¬ 
nerable and located at the same IP after one month and 
over 60% were still misconfigured after 13 weeks. This 
result is counter to the previous results of churn based 
on Internet wide scanning that found a 50-60% churn 
rate for DNS servers after one week 13 . It indicates 


that hooters have gravitated to using a more stable set 
of DNS resolvers and that focusing mitigation efforts 
on these might cause these DNS attacks to be less effi¬ 
cient and require additional bandwidth and cost. From 
our measurements, SSDP servers where the least stable 
with a 50% churn rate after only a single week. This re¬ 
sult agrees with the previous Internet wide scanning re¬ 
sult and indicates that either hooters have not found or 
there might not exist a set of more stable SSDP servers. 


5.8 Amplification Factor 

One of the few direct costs incurred for every attack a 
hooter service launches is the bandwidth sent from their 
rented attack servers. In order to reduce this cost am¬ 
plification attacks are used for volume-based flooding 
attacks. Some attack methods can potentially produce 
a larger amplification factor then others, but there are 
many factors that effect the amplification factor. Our 
measurements largely agree with the lower-end band¬ 
width amplification factor numbers reported in a pre¬ 
vious study 


13 , with NTP attacks resulting in an av¬ 


erage amplification factor of 603 times, Chargen being 
the next largest at 63 times, DNS resulting in an aver¬ 
age of 30 times amplification and SSDP generating the 
smallest average amplification factor of 26 times. This 
and the limited number of NTP amplifiers confirms that 
the communities focus on prioritizing notification and 
patching of misconfigured NTP servers is the correct ap¬ 
proach. We also suggest that some effort be placed into 
efforts to notify operators of servers with misconfigured 


and abused Chargen services, since these are the next 
largest threat and there is also a potentially constrained 
supply. 

6. PAYMENT INTERVENTION 

As part of our study we sought out opportunities to 
understand and also measure the effectiveness of un¬ 
dermining DDoS Services. In this section, we present 
our measurements of a payment intervention that was 
conducted in collaboration with PayPal. 

We find that reporting accounts to responsive pay¬ 
ment service providers, such as PayPal, can have the 
desired effect of limiting their ability and increasing the 
risk of accepting payments using these payment ser¬ 
vices. Although, this technique requires constant mon¬ 
itoring of the hooters and drives them to move to more 
robust payment methods, such as Bitcoin. 

6.1 Payment Ecosystem 

At the onset of our study the majority of booter ser¬ 
vices accepted credit card payments via PayPal as their 
primary mechanism for receiving funds from their cus¬ 
tomers. In addition to PayPal, some hooters accepted 
bitcoin payments and a limited number of hooters also 
accepted credit card payments using Google Wallef|^ 
and virtual currencies, such as WebMoney and Per¬ 
fect Money—these last two prohibit customers from the 
United States from opening an account and using their 
platform. 

We identified a larger set of 60 booter services [^that 
accepted PayPal and created custom crawlers to moni¬ 
tor their payment methods and merchant accounts for 
about 6 weeks from April 22, 2014 through June 07, 
2014. These hooters were located from underground 
forum advertisements and web searches for terms com¬ 
monly associated with booter services. Again we make 
no claim about the coverage these hooters provide of 
the entire ecosystem. To minimize the effect of unstable 
hooters on our study, the final set of hooters included 
in our analysis was limited to the 23 stable booter ser¬ 
vices that were able to successfully use PayPal to receive 
funds for at least half of the time before the PayPal in¬ 
tervention and used at least one PayPal account after 
the intervention. Nine of these 23 booter services over¬ 
lapped with the set of 15 hooters measured in section 
among the reasons that six hooters were not included 
in this measurement is that some did not accept PayPal 
and others did not accept PayPal over half the time in 
the first 6 week period. 

^Google phased out their digital goods payment processing 
at the start of March 2015 — https://support. google. 
com/wallet/business/answer/6107573 
""This set is larger than the previous set, since we did not 
have to pay for a subscription in order to monitor their pay¬ 
ment accounts. 
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Booter 

accounts before 

accounts after 

Status 

ANO * 

6 (8.2) 

7 (2.9) 

/ 

AUR 

6 (7.2) 

6 (2.7) 

X 

BOO • 

6 (8.3) 

11 (2.7) 

/ 

CRI t 

4 (9.0) 

1 (2.0) 

X 

DAR ^ 

4 (6.0) 

5 (4.8) 

/ 

DIA t 

3 (15.7) 

0 (-) 

X 

GET 

2 (14.0) 

1 (4.0) 

/ 

GRI * 

4 (10.5) 

1 (6.0) 

/ 

HAZ o 

4 (12.2) 

5 (5.6) 

/ 

IDD o 

3 (7.7) 

2 (9.0) 

/ 

IPS o 

3 (7.3) 

5 (5.4) 

/ 

POW 

5 (4.5) 

9 (5.0) 

/ 

PRI 

6 (8.8) 

2 (1.0) 

X 

QUA 

11 (4.3) 

22 (1.8) 

/ 

RAG • 

13 (3.9) 

4 (2.0) 

/ 

REB 

2 (11.5) 

9 (2.3) 

X 

RES * 

6 (8.2) 

7 (2.9) 

/ 

SNO 

1 (-) 

0 (-) 

X 

STA 

5 (13.0) 

3 (5.3) 

/ 

STR 

1 (47.0) 

1 (4.0) 

/ 

TIT o 

12 (5.3) 

17 (2.9) 

/ 

XRS 

4 (10.5) 

11 (1.6) 

/ 

XRS • 

8 (5.2) 

4 (2.5) 

X 


119 (7.84) 

133 (3.07) 



Table 7: Number of PayPal accounts used by monitored hooters 
before and after the intervention. The numbers within the () are 
the average lifespan of the accounts used by that hooter. Accounts 
that are active both before and after are counted only in the before 
and not included when computing the average lifespan. Matching 
symbols indicate that this set of hooters shared at least one PayPal 
account. These shared accounts might be instances of a third 
party agreeing to accept payments for these services. 


After collecting our initial data on the stability of 
their PayPal merchant accounts, we reported these hooter’s 
domains and accounts to PayPal and they began to 
monitor merchant accounts linked to these domains and 
suspending them after an investigation. Note that Pay¬ 
Pal will initially limit reported merchant accounts that 
are found to violate their terms of service by accepting 
payments for abusive services and perform an investi¬ 
gation of the account. Once an account is limited the 
merchant cannot withdraw or spend any of the funds 
in their account. This will result in the loss of funds in 
these accounts at the time of freezing and potentially 
additional losses due to opportunity cost while estab¬ 
lishing a new account. In addition, PayPal performed 
their own investigation to identify additional hooter do¬ 
mains and limited accounts linked to these domains as 
well. This had the affect of a large-scale PayPal pay¬ 
ment disruption for the majority of hooter services. 

In order to further understand the effectiveness of 
our payment intervention, we monitored underground 
forums where these hooters advertise their services and 
news feeds from hooters we joined to discover quali¬ 
tative data on the effectiveness of PayPal’s payment 
intervention. 

6.2 Usage Pattern of PayPal Accounts 

Based on our observations, hooter services for the 


ANO 
AUR 
BOO 
CRI 
DAR 
DIA 
GET 
GRI 
HAZ 
i/) IDD 
0 IPS 
■g POW 
O PRI 
^ OUA 
RAG 
REB 
RES 
SNO 
STA 
STR 
TIT 
XR8 
XRS 

04/21 05/01 05/11 05/21 05/31 06/10 06/20 06/30 07/10 07/20 

Date 


PayPal 

Intervention 


Figure 4: PayPal account usage over time. Black asterisks 
denote a new PayPal account and gaps in the blue line represent 
PayPal unavailability for that time period. The red vertical line 
indicates when the reporting of accounts started. 


most part only use a single PayPal account at a time 
to receive payments and change their PayPal merchant 
account when a limit is put on their previous account or 
they proactively change accounts to reduce the risk of 
limits on their previous accounts. We used the dataset 
collected during the initial monitoring period to un¬ 
derstand how frequently hooter services were changing 
their PayPal accounts. Note that our age measures are 
both right and left-censored. For the hooter’s initial 
account our data is left-censored and for the last ac¬ 
count our data is right-censored. However, we believe 
our age measurements accurately represent the effects of 
the PayPal intervention based on our interactions with 
and postings from the hooters themselves. 

Table provides an overview of the PayPal accounts 
observed by our crawler broken down by each service 
monitored. As Table shows accounts had an average 
life time of slightly over a week before the intervention 
with STR and SNO each using a single account that re¬ 
mained active during the entire 47 day initial observa¬ 
tion period and SNO’s account that remained active for 
37 days after the intervention began. On the other end 
of the spectrum, QUA, RAG and TIT changed accounts 
every 4-5 days before the intervention. The impact of 
the intervention can be visually seen in Figure]^ 

Once the target intervention begins the average lifes¬ 
pan of an account drops to around 3.5 days with many 
hooter’s PayPal accounts only averaging around two 
days before they are no longer used again. Figure 
visually shows the impact of the payment intervention 
on the lifespan of hooter services PayPal accounts and 
provides some indication of the time period that elapsed 
between a new PayPal account being actively used to 
accept payments and when PayPal took action against 
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the account or it was proactively replaced. The length 
and number of PayPal outages increase after the in¬ 
tervention, with only QUA and TIT avoiding major 
PayPal outages by resorting to aggressively replacing 
accounts. Note that this replacement strategy was not 
fully effective, since our monitoring infrastructure de¬ 
tected and reported these accounts. 

6.3 Booters’ Status 

As part of our daily monitoring of the 23 booter ser¬ 
vices, we recorded if the service could accept PayPal 
payments and if the site was functional. This enabled 
us to better understand the impact of the payment in¬ 
tervention on the hooter’s ability to accept PayPal pay¬ 
ments and the operation of the service. For each booter, 
we placed it in one of the following statuses each day 
based on the results of our crawl. 

Active: The booter is able to successfully use a PayPal 
account to receive payments from its customers. 
Unreachable/Broken: Either the hooter’s frontend 
website was not responding to HTTP requests, the booter 
service had closed or the frontend site was not func¬ 
tional. 

PayPal Disabled: The hooter’s frontend website is 
active, but the service has either removed PayPal as 
a payment option, or the PayPal account linked to the 
booter website is limited and therefore unable to receive 
payments. 

Figurej^shows the status of booter services over time. 
The vertical line represents the date on which we started 
sharing our data with PayPal and PayPal started to in¬ 
dependently investigate the reported accounts and take 
action against them. As observed in Figure the per¬ 
centage of active hooters quickly drops from 70-80% to 
around 50% within a day or two following the interven¬ 
tion date and continues to decrease to a low of around 
10% and then fluctuating between 10-30%. This re¬ 
sulted in an increase in PayPal unavailability from 20% 
before the intervention to 63% during the intervention. 
In addition, we observed 7 booter services in our study 
shut down their business and most of the remaining 
services switch to alternative payment methods, such 
as Bitcoin. 

6.4 Qualitative Assessments 

In addition to our quantitative measurements, we also 
have qualitative evidence of PayPal’s payment interven¬ 
tions efficacy. By monitoring the underground forums 
where these services advertise we can witness the impact 
of these account limitations. Wrote one booter opera¬ 
tor during the intervention, “So until now 5 time my 
5 PayPal Accounts got Limited on My stresser is other 
stresser have same Problem with the fucking Paypal ? 
is there any solution what we should do about fucking 
Paypal ?” Similarly, customers vented their frustration 


PayPal 



Date 

Figure 5: Status of hooters over time. 

at being unable to purchase a booter service using Pay¬ 
Pal. Wrote one booter customer, “when i go to buy a 
booter it normally says i can’t buy because their PayPal 
has a problem.” 

In a number of cases hooters directly link their closers 
to loss of funds due to PayPal merchant account limi¬ 
tations. This message was posted on the front page of 
a defunct booter service, “It’s a shame PayPal had to 
shut us down several times causing us to take money 
out of our own pocket to purchase servers, hosting, and 
more.” 

6.5 Booter Response 

As with any intervention the adversary, hooters, will 
respond by adapting to the pressure. In this case, we 
do not have enough quantitative measurements to ac¬ 
cess the effectiveness or the full range of responses to 
our attempt to undermine their payment infrastructure. 
However, we have identified several common classes of 
adaptations in response to the intervention. 

Alternate payment methods. Most hooters have 
added Bitcoin as an alternate payment methods and 
have posted links to services that allow customers to 
purchase bitcoins using credit cards or PayPal. In ad¬ 
dition to bitcoins some switched to Google Wallet and 
others added the option to pay using virtual curren¬ 
cies, such as Webmoney and Perfect Money. By all ac¬ 
counts these have resulted in reduced customer bases if 
the booter cannot directly accept credit card payments. 
Evidenced by the fact that many hooters continued to 
replace their PayPal accounts even when previous ones 
were limited and their funds were lost. Assuming that 
alternative payment methods did not result in reduced 
revenue or higher costs there would be little incentive to 
continue using risky payment methods, such as PayPal. 
Referrer anonymizing services. We have noticed 
that some hooters have stopped directly linking to Pay¬ 
Pal and are now linking to an intermediary site and then 
redirecting the customer’s browser from this intermedi¬ 
ary domain to PayPal’s site. This intermediary redirec¬ 
tion site is used to hide the hooter’s real domain name in 
the referrer field from PayPal. A subset of hooters have 


10 




also started to replace this intermediary domain every 
time they replace a PayPal account. The effect of this 
is that it requires active crawling and measurements of 
hooter sites to identify a hooter’s new PayPal account 
bypasses passive methods PayPal could use to linking 
accounts, such as hy using referrers. This has increased 
the difficulty of monitoring hooter’s PayPal accounts 
and effort required to investigate these accounts. 
Offline payment. Finally, in some cases hooters have 
posted that customers must open a ticket to pay using 
PayPal. This method increases the effort to monitor 
the hooter for new accounts, since instead of an au¬ 
tomated crawler someone must now interact with the 
hooter service manually. It also increases the difficulty 
of PayPal’s investigation into the nature of the mer¬ 
chant account. However, this method also requires the 
hooter service to manually activate each account and 
drives away customers that are seeking automated sub¬ 
scription purchasing systems. 

7. DISCUSSION AND FUTURE WORK 

We have gathered a few key points from ours and 
the community’s efforts to understand and undermine 
these DDoS services. Most of these potential strategies 
involve driving up costs of operating hooter services and 
reducing the convenience of subscribing. This might 
force these hooters from operating largely unopposed in 
the open to more resilient hosting, attack and payment 
infrastructure for which they pay a premium due to the 
risk of support services being taken down or blacklisted 
for being associated with DDoS attackers. 

Reducing scale. Limiting access to convenient pay¬ 
ment methods, such as PayPal, had an impact on the 
scale of hooter services based on our quantitative and 
qualitative analysis. However, criminal-to-criminal pay¬ 
ment infrastructure is more resilient then consumer-to- 
criminal payment infrastructure. As future work, we 
plan to understand how to improve the effectiveness of 
these interventions and make them sustainable. This in 
part requires developing more robust monitoring tools 
that better mitigate countermeasures being deployed to 
make their payment methods more robust to interven¬ 
tions. To this end, we are working on building a generic 
crawler that can learn how to navigate a hooter site and 
map out payment accounts. This would reduce the bur¬ 
den of having to create and maintain custom crawlers 
for each site. 

Reducing effectiveness of attacks. We plan to con¬ 
tinue our monitoring efforts of the amplification servers 
used by hooters and begin sharing this information with 
existing patching efforts, such as the OpenResolverPro- 
ject i and OpenNTPProject [^. Along with this, we 
plan to experiment with active notifications sent to the 
ISP and abuse contact for the server. Our hope is that 
by focusing mitigation efforts on actively abused am¬ 


plifiers, we can mitigate the pool of more stable am¬ 
plifiers and thus reduce the effectiveness of hooter at¬ 
tacks as they are forced to use less stable amplifiers and 
protocols with a lower bandwidth amplification factor. 
There is some indications that active notification im¬ 
proves patching rates in another context [^. 
Increasing costs. This might be achieved with an in¬ 
creased effort to locate and blacklist or de-peer low-cost 
hosting services that cater to DDoS attacks by provid¬ 
ing the ability to spoof and unlimited bandwidth. This 
might force these services to pay a premium for bullet¬ 
proof hosting attack servers, which would result in re¬ 
duced profitability or be passed along to subscribers in 
the form of increased subscription costs. In addition, 
convincing CloudFlare and other free anti-DDoS ser¬ 
vices to prohibit these hooter services would increase 
their costs by forcing them to build and pay for anti- 
DDoS services that cater to these abusive hooters. Ad¬ 
mittedly these suggestions will likely not result in large 
cost increases unless tremendous amounts of pressure 
were placed on these parts of their infrastructure. 

8. CONCLUSION 

Unfortunately, there is no silver bullet that will mit¬ 
igate the threat posed by hooter services overnight. 
These hooters have grown in scale due to the perceived 
low-risk nature, their profitability and increasing de¬ 
mand for DDoS attacks as a method of knocking out 
the competition, harassment and censorship on the In¬ 
ternet. 

In this paper we have mapped out a range of support 
infrastructure that hooters depend on in terms of ad¬ 
vertising, attack, hosting and payment. We have also 
measured the effectiveness of ongoing attack infrastruc¬ 
ture interventions and demonstrated the potential effec¬ 
tiveness of a payment intervention. Our measurement 
techniques, including direct observations by interacting 
with these hooters and support services, such as hosting 
providers, highlight potential improvements to ongo¬ 
ing efforts to undermine attack infrastructure by focus 
patching efforts on abused NTP and Chargen servers 
and exposing ISPs and hosting centers that enable these 
attacks. We also demonstrated that payment interven¬ 
tions, which undermine the accessibility of convenient 
payment methods, such as PayPal, can potentially have 
an impact on reducing the scale of these services. Our 
hope is that by continuing to explore new methods for 
understanding and undermining hooters, we can iden¬ 
tify increasingly effective methods of adding friction, 
cost and risk to these ventures that further erodes their 
attack potency, scale and profitability over time. 
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